#!/bin/bash

get_ca() {
    # 创建根CA私钥
    openssl genrsa -out ca.key 2048
    # 生成根CA证书请求
    openssl req -new -key ca.key -out ca.csr -subj "/C=CN/ST=Bj/L=bj/O=MyOrg/OU=RootCA/CN=MyRootCA"
    # 自签名根CA证书（有效期10年）
    openssl x509 -req -days 3650 -sha256 -extensions v3_ca -signkey ca.key -in ca.csr -out ca.crt
}

get_intermediate() {
    # 创建中间CA私钥
    openssl genrsa -out intermediate.key 2048
    # 生成中间CA证书请求
    openssl req -new -key intermediate.key -out intermediate.csr -subj "/C=CN/ST=Bj/L=bj/O=MyOrg/OU=IntermediateCA/CN=MyIntermediateCA"
    # 创建中间CA扩展配置文件
    cat > intermediate.ext <<EOF
    basicConstraints=CA:TRUE,pathlen:0
    keyUsage=keyCertSign,cRLSign
EOF
    # 用根CA签署中间CA证书
    openssl x509 -req -days 3650 -sha256 -CA ca.crt -CAkey ca.key -CAcreateserial -in intermediate.csr -out intermediate.crt -extfile intermediate.ext
}

get_server() {
    # 创建服务端私钥
    openssl genrsa -out server.key 2048
    # 生成服务端证书请求
    openssl req -new -key server.key -out server.csr -subj "/C=CN/ST=Bj/L=bj/O=MyOrg/OU=Server/CN=server.example.com"
    # 创建服务端扩展配置文件
    cat > server.ext <<EOF
    subjectAltName=DNS:server.example.com
    extendedKeyUsage=serverAuth
EOF
    # 用中间CA签署服务端证书
    openssl x509 -req -days 365 -sha256 -CA intermediate.crt -CAkey intermediate.key -CAcreateserial -in server.csr -out server.crt -extfile server.ext
}

get_client() {
    # 创建客户端私钥
    openssl genrsa -out client.key 2048
    # 生成客户端证书请求
    openssl req -new -key client.key -out client.csr -subj "/C=CN/ST=Bj/L=bj/O=MyOrg/OU=Client/CN=client.example.com"
    # 创建客户端扩展配置文件
    cat > client.ext <<EOF
    subjectAltName=DNS:client.example.com
    extendedKeyUsage=clientAuth
EOF
    # 用中间CA签署客户端证书
    openssl x509 -req -days 365 -sha256 -CA intermediate.crt -CAkey intermediate.key -CAcreateserial -in client.csr -out client.crt -extfile client.ext
}

get_crl() {
    # 创建crlnumber文件
    touch crl_index.txt
    cat > crl.cnf <<EOF
    [ca]
    default_ca = CA_default
    [CA_default]
    default_md = sha256
    database = crl_index.txt
    crlnumber = crlnumber
EOF
    # 生成三本独立CRL
    ## 1. 吊销服务器证书的CRL
    echo "01" > crlnumber
    openssl ca -config crl.cnf -revoke server.crt -keyfile intermediate.key -cert intermediate.crt
    openssl ca -config crl.cnf -gencrl -crldays 1000 -out server_revoked.crl -keyfile intermediate.key -cert intermediate.crt

    ## 2. 吊销客户端证书的CRL
    echo "01" > crlnumber
    openssl ca -config crl.cnf -revoke client.crt -keyfile intermediate.key -cert intermediate.crt
    openssl ca -config crl.cnf -gencrl -crldays 1000 -out client_revoked.crl -keyfile intermediate.key -cert intermediate.crt

    ## 3. 空白CRL（不吊销任何证书）
    echo "01" > crlnumber
    openssl ca -config crl.cnf -gencrl -crldays 1000 -out empty.crl -keyfile intermediate.key -cert intermediate.crt
}

encrypt_key() {
    openssl pkey -in server.key -passout pass:123456 -out server.enc.key -aes-128-cbc
    openssl pkey -in client.key -passout pass:123456 -out client.enc.key -aes-128-cbc
}

get_ca
get_intermediate
get_server
get_client
get_crl
encrypt_key
